About 5 years ago, I scored an “8GB Wifi USB Flash Drive” pretty cheaply on eBay. Basically, you could copy files to it like a USB disk, and then access those files from an iPhone over WiFi. Simple idea – basically a “cloud storage” … except in your pocket, and it seemed like a handy device to have – an early “internet of things” device. However, it was both terribly clunky to use, as well as being incredibly slow to transfer files via either method. Quite a regrettable purchase overall.

I paid less than half this advertised price. The device is about the size of a pack of chewing gum.

So instead, I decided to see what else this little box could do. I pulled it apart, to find that basically, it was a bit like a smartphone just without a screen inside, complete with battery, processor and wifi. I used a simple tool (Bus Pirate) to make a copy of (“dump”) the firmware. I then found the system files in that firmware, including the file that stored the passwords. While they were encrypted, with a little educated guessing, and a reasonably high-powered graphics card to do some heavy code breaking, I was able to decrypt (“crack”) the main device’s passwords in a matter of seconds – a whopping three seconds, to be precise. The brand was called “Zsun” – the product system password turned out to be “Zsun1188”.

For me, I was already aware that there were devices like this out there, but others may not be.
The lesson here is simple: Don’t trust your personal data to any platform or device, if it is made by any company that you don’t fully trust.

Zsun is just an example. For an idea about how much Zsun cared, they went on to use the same password on their future devices as well… if you google Zsun1188 you will find many people who have gone on further to hack these devices and do other fun things with them. Anyway, till next time!